Saturday, December 09, 2017

… Introduced
in 2014, the framework is designed to help organizations,
particularly ones in the critical infrastructure sector, manage
cybersecurity risks. Some security firms and experts advise
businesses to use the NIST Cybersecurity Framework as a best practice
guide. Others, however, believe
such static guidelines cannot keep up with the constantly evolving
threat landscape, and malicious actors may even use it to devise
their attack strategy.

… According
to NIST, the second
draft for version 1.1 of the Cybersecurity Framework “focuses
on clarifying, refining, and enhancing the Framework – amplifying
its value and making it easier to use.”

The
second draft also comes with an updated roadmap
that details plans for advancing the framework’s development
process.

Cryptography was once the realm of academics,
intelligence services, and a few cypherpunk hobbyists who sought to
break the monopoly on that science of secrecy. Today, the
cypherpunks have won: Encryption
is everywhere. It’s easier to use than ever before. And no
amount of handwringing over its surveillance-flouting powers from
an FBI director or attorney general has been able to change that.

Thanks in part to drop-dead simple, increasingly
widespread encryption apps like Signal,
anyone with a vested interest in keeping their communications away
from prying eyes has no shortage of options.

Four
distinct groups of cybercriminals have emerged, serving as the new
syndicates of cybercrime: traditional gangs, state-sponsored
attackers, ideological hackers and hackers-for-hire. This is the
central thesis of a new report titled 'The
New Mafia: Gangs and Vigilantes'.
In this report, the gangs are the criminals and the vigilantes are
consumers and businesses -- and the vigilantes are urged to 'fight
back'.

The
report (PDF)
is compiled by endpoint protection firm Malwarebytes. It is designed
to explain the evolution of cybercrime from its earliest, almost
innocuous, beginnings to the currently dangerous 'endemic global
phenomenon'; and to suggest to consumers and businesses they don't
need to simply accept the current state. They can fight back.

Fighting
back, however, is not hacking back -- or in the more
politically acceptable euphemism, active defense.

Canadians don’t give up their right to privacy after sending a text
message to another person, the country’s top court has ruled. It’s
a decision that one privacy lawyer said still means if you want to
ensure privacy, encrypt your text messages.

The case involved an Ottawa area man who had his conviction for
firearms offences dismissed after the Supreme
Court of Canada ruled today that evidence of text messages he
sent and found on an alleged accomplice were wrongly admitted as
evidence at his trial. Essentially,
the court ruled that without a search warrant the accused’s right to
privacy under the Charter of Rights had been violated.

Police in fact had a warrant to search the house of a man the court
calls M and the alleged accomplice and seized their cellphones.
However, the trial judge ruled that warrant was invalid for technical
reasons and the text messages on M’s phone couldn’t be entered as
evidence.

Read more on IT
World. This is actually quite huge and a slap on the side of the
head to the U.S., where third party doctrine would suggest that there
is no expectation of privacy. As Solomon reports, in Marakah,
the court held:

“An individual does not lose control over information for the
purposes of s.
8 of the Charter
[the right to privacy] simply because another individual possesses it
or can access it,” the court ruled. “Nor does the risk that a
recipient could disclose an electronic conversation negate a
reasonable expectation of privacy in an electronic conversation.
Therefore, even where an individual does not have exclusive control
over his or her personal information, only shared control, he or she
may yet reasonably expect that information to remain safe from state
scrutiny.”

This coming spring, the Supreme Court will hear
arguments in United States v. Microsoft, a case that will determine the
authority of U.S. law enforcement to compel, via a warrant, US-based
companies to turn over data held outside the United States. Over at
Lawfare, Orin
Kerr posits that Microsoft and the government—as well as the
numerous lower court judges that have weighed in—have missed the
core issue in the case. According to Kerr, the key is the All Writs
Act; the parties and lower court judges have, in contrast, all
focused on the Stored Communications Act. According to Kerr, only
the All Writs Act gives the Supreme Court the necessary latitude to
craft the kind of nuanced response that is needed.

This is a more detailed reprise of a claim that
Kerr made some two years ago. I disagreed then (see our back and
forth here).
And I disagree now.

… “Fines and penalties against Wells Fargo
Bank for their bad acts against their customers and others will not
be dropped, as has incorrectly been reported, but will be pursued
and, if anything, substantially increased. I will cut Regs but make
penalties severe when caught cheating!” Trump wrote.

… The financial industry is hoping regulatory
agencies will adopt a less aggressive approach to fines under the
Trump administration.

Those hopes were raised when Mulvaney, Trump’s
pick to lead the CFPB on a temporary basis, told reporters this week
that he was reviewing more than 100 enforcement actions currently in
the works, including litigation, cases that are being settled and
investigations. Mulvaney said he would delay at least two
enforcement actions, without naming them.

“The notion that this administration is or will
be tough on Wall Street doesn’t pass the laugh test, and that fact
is evident in deeds, not tweets,” said Lisa Donner, the executive
director of Americans for Financial Reform, a coalition of groups
advocating for tougher oversight of the financial system.

William Berglund, Robert J. Hanna and Victoria L.
Vance of Tucker Ellis write:

Maintaining robust cybersecurity measures that meet government- and
industry-recognized standards will provide businesses operating in
Ohio with a legal defense to data breach lawsuits, if a bill recently
introduced in the Ohio Senate becomes law.

Ohio
Senate Bill No. 220 (S.B. 220), known as the Data Protection Act,
was introduced to provide businesses with an incentive to achieve a
“higher level of cybersecurity” by maintaining a cybersecurity
program that substantially complies with one of eight
industry-recommended frameworks. See S.B. 220, Section 1,
proposed Ohio Rev. Code §§ 1354.01 to 1354.05.

Businesses that are in substantial compliance with one of the eight
frameworks outlined in S.B. 220 would be entitled to a “legal safe
harbor” to be pled as an affirmative defense to tort claims related
to a data breach stemming from alleged failures to adopt reasonable
cybersecurity measures. S.B. 220, Section 1, proposed Ohio Rev. Code
§§ 1354.02(A) and (C), 1354.03; S.B. 220, Section 2(A).

Not long ago, phishing attacks were fairly easy
for the average Internet user to spot: Full of grammatical and
spelling errors, and linking to phony bank or email logins at
unencrypted (http:// vs. https://) Web pages. Increasingly, however,
phishers are upping their game, polishing their copy and hosting scam
pages over https:// connections — complete with the green lock icon
in the browser address bar to make the fake sites appear more
legitimate.

According to stats
released this week by anti-phishing firm Phishlabs,
nearly 25 percent of all phishing sites in the third quarter of this
year were hosted on HTTPS domains — almost double the percentage
seen in the previous quarter.

Oof. I read something like this notification
below from Boise Cascade Company in Utah, and I wonder if the
employees had been regularly trained in avoiding phishing attacks, or
if it was just the case that the phishing was done so damned well
that the employees fell for it despite their training. In this case,
the intrusion was part of a scheme to alter or redirect employees’
payroll direct deposit accounts.

The Company’s investigation determined that a phishing scheme got
into its email system on or about October 31, 2017. Our
information technology team caught the scheme within minutes
of the first phishing email, blocked the email, and notified
employees not to click on the link in it or similar emails.
Unfortunately,
approximately 300 employees clicked on the link anyway.
The investigation further revealed that company-wide, 23 employees’
direct deposit instructions were changed.

I’d love to see what that phishing email looked
like if 300 people fell for it.

The
Cumulative Effect of Major Breaches: The Collective Risk of Yahoo &
Equifax

Until
quite recently, people believed that a dizzying one billion accounts
were compromised in the 2013 Yahoo! breach… and then it was
revealed that the real number is about three billion accounts.

That
raises the question: so what? Isn’t all the damage from a
four-year-old breach already done?

The
answer: not at all. For those who have taken control of the
compromised accounts, or who possess confidential information about a
billion or more individuals, the
Yahoo! breach is the gift that will keep on giving.

First
of all, the consequences of the breach are not yet fully realized.
Criminals have only recently started using compromised email accounts
to spread ransomware and spam. As email service providers
increasingly use the age of the sending account as an indicator of
risk, the value to criminals of long-established but compromised
accounts has started to increase. These accounts become a
circumvention strategy for criminals wishing to reliably deliver
malicious emails. As the value of an established account goes up,
the damage that can be done by using the compromised accounts does,
too.

Second,
criminals have only recently started to mine the contents of
compromised accounts to identify promising opportunities – but that
is increasingly happening now, and is becoming another source of
value to the Yahoo! attackers (and anybody who has already purchased
compromised accounts from them.) To a large extent, we are still in
the “manual effort” phase of this type of attack, wherein
attackers have not yet understood exactly what they are looking for,
and therefore, have not yet written scripts to automate the task.
Once their understanding matures and they automate the process, the
vast volumes of compromised accounts will turn into new criminal
opportunities.

And
the automated extraction of meaningful content will dramatically
increase the yield of the attacks that the criminals will be able to
mount. Think of it like this: if your account was compromised, and a
good friend or colleague gets an email from you … or rather, your
email account … with a malicious attachment, will they open it? If
the email is obvious spam, they probably won’t, but if the message
makes sense, they will; and if the attacker knows what you and your
contact normally talk about, that isn’t difficult to do.

There
is also a multiplier effect as the number of major
breaches of consumer data rises.

In
the recent Equifax breach, criminals made off with information for
more
than 145 million Americans, including names, mother’s maiden
names, social security numbers, addresses, birthdays, and more. But
not email addresses, and not banking affiliations and account
numbers. A
crafty attacker can easily match the names and birthdays of the
Equifax breach to the names and birthdays of the Yahoo! breach,
automatically generating very powerful combinations. With this
combined intelligence, the attacker can contact banks, posing as
banking customers, and gain access to accounts.

Despite the catastrophic
2015 hack that hit the dating site for adulterous folk, people
still use Ashley Madison to hook up with others looking for some
extramarital action. For those who’ve stuck around, or joined
after the breach, decent cybersecurity is a must. Except, according
to security researchers, the site has left photos of a very private
nature belonging to a large portion of customers exposed.

The issues arose from the way in which Ashley Madison handled photos
designed to be hidden from public view. Whilst users’ public
pictures are viewable by anyone who’s signed up, private photos are
secured by a “key.” But Ashley Madison automatically shares a
user’s key with another person if the latter shares their key
first. By doing that, even if a user declines to share their private
key, and by extension their pics, it’s still possible to get them
without authorization.

Read more on Forbes.
And no, that wasn’t Forbes’ headline for the story.
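The key-sharing flaw the report describes, modelled in Python as an added example. This is not Ashley Madison's code: the `PhotoVault` class, its methods and the user names are hypothetical, and the only thing taken from the report is the behaviour itself, that sharing your key with someone automatically hands you theirs whether or not they agreed. The `auto_reciprocate` flag switches between that behaviour and the hardened rule, where a grant only ever flows from the owner who explicitly made it.

```python
"""Reciprocal-sharing authorization flaw, modelled (added example, not the site's code)."""


class PhotoVault:
    """Private photos of `owner` are visible to `viewer` only if a grant (owner, viewer) exists.

    auto_reciprocate=True reproduces the reported behaviour: when A shares A's key with B,
    the system also records that B shared B's key with A, although B never chose to.
    """

    def __init__(self, auto_reciprocate):
        self.auto_reciprocate = auto_reciprocate
        self.grants = set()        # (owner, viewer): owner let viewer see owner's private photos
        self.private_photos = {}   # owner -> list of photo ids

    def upload_private(self, owner, photo_id):
        self.private_photos.setdefault(owner, []).append(photo_id)

    def share_key(self, owner, viewer):
        """`owner` decides to let `viewer` see owner's private photos."""
        self.grants.add((owner, viewer))
        if self.auto_reciprocate:
            # The flaw: a grant in the opposite direction is created without viewer's consent.
            self.grants.add((viewer, owner))

    def can_view(self, viewer, owner):
        return viewer == owner or (owner, viewer) in self.grants

    def view_private(self, viewer, owner):
        """Return owner's private photo ids, or refuse when no grant exists."""
        if not self.can_view(viewer, owner):
            raise PermissionError(f"{viewer} holds no key for {owner}'s private photos")
        return list(self.private_photos.get(owner, []))


def demo(auto_reciprocate):
    """Hypothetical attacker 'mallory' sends her (empty) key to 'victim', then reads his album.

    Returns the photo ids mallory can see, or None when the vault refuses.
    """
    vault = PhotoVault(auto_reciprocate)
    vault.upload_private("victim", "photo-001")
    vault.share_key("mallory", "victim")      # mallory shares hers; victim never shared his
    try:
        return vault.view_private("mallory", "victim")
    except PermissionError:
        return None


if __name__ == "__main__":
    print("reciprocal sharing:", demo(True))    # attacker sees victim's private photo
    print("explicit grants:   ", demo(False))   # refused
```

The hardened rule is the obvious one: an authorization grant is created only by the action of the party whose data it protects, and the convenience of "share back" has to be a separate, explicit choice by the recipient.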

Thursday, December 07, 2017

Remaining
competitive is the primary motivation for implementing a corporate
'internet of things' (IoT) strategy; but 90% of those doing so admit
the implementation is struggling. Security
is the primary concern, holding back 59% of organizations
with a current IoT project.

Security
is followed by the cost of implementation (46%); competing priorities
(37%); an intimidatingly complex IT infrastructure (35%); and funding
(32%). The figures come from a survey (PDF)
published this week by Vanson Bourne, commissioned by the Wi-SUN
Alliance, which questioned 350 IT decision makers from firms in
the U.S., UK, Sweden and Denmark that are already investing in at
least one IoT project.

"Smart bags, also known as smart luggage,
have become more popular over the last few months, and they are
expected to be a popular gift this holiday season," said
American Airlines. "However, smart bags contain lithium battery
power banks, which pose a risk when they are placed in the cargo hold
of an aircraft."

The bags generally have USB ports where customers
can recharge their phones and other devices. They might also have
GPS to track the bag's location in case it gets lost, electronic
locks and a weight scale to prevent overpacking. Some even have a motor
to propel the bags so that they can double as a scooter or just
follow their owner around the airport.

Airlines are worried that the batteries could
cause a fire in the cargo hold that would go undetected.
[Nonsense. The fire would
be detected immediately, but suppression is not always possible.
Bob]

… Oliver Schmidt, 48, was sentenced to 7 years
in prison and fined $400,000 in federal court here for his role in
the automaker’s diesel emissions cheating scandal. The German
national had pleaded guilty in August to two charges in Volkswagen’s
scheme to rig nearly 600,000 diesel cars to evade U.S. pollution
standards.

“This crime ... attacks and destroys the very
foundation of our economic system: That is trust,” U.S. District
Judge Sean Cox said Wednesday in sentencing Schmidt. “Senior
management at Volkswagen has not been held accountable.”

I wonder if anyone can keep all this law,
regulation, conflicting legal precedent, and political nonsense
organized enough to predict an outcome. I gave up long ago. Was Pai
betting on this, ignorant of it, or aware but indifferent?

The FCC’s
net neutrality plan may have even bigger ramifications in light of
this obscure court case

The plan by the Federal Communications Commission
to eliminate
its net neutrality rules next week is expected to hand a major
victory to Internet service providers. But any day now, a federal
court is expected to weigh in on a case that could dramatically
expand the scope of that deregulation — potentially giving the
industry an even bigger win and leaving the government less prepared
to handle net neutrality complaints in the future, consumer groups
say.

The case involves AT&T and one of the nation's
top consumer protection agencies, the Federal Trade Commission. At
stake is the FTC's ability to prosecute companies that act in unfair
or deceptive ways.

… The FTC has the power to sue misbehaving
companies that mislead or lie to the public. But that power comes
with an exception: It doesn't extend to a special class of businesses
that are known as “common
carriers.”

… Thus far, the common carrier exemption has
applied to a specific slice of the economy. But the case before the
U.S. Court of Appeals for the 9th Circuit, FTC v. AT&T Mobility, could vastly expand the number of companies that
qualify for the exemption. In an
earlier decision in the lawsuit, a federal judge effectively said
that any company that runs a telecom subsidiary is considered a
common carrier.

… A company that provides Internet access,
such as AT&T, could seek an exemption from FTC net neutrality
enforcement by pointing to its voice business and claiming common
carrier status under the ruling. At the same time, the ruling could
limit AT&T's net neutrality liability under the FCC, because the
repeal of the net neutrality rules would mean the FCC would no longer
recognize AT&T's broadband business as one that can be regulated
like a telecommunications carrier.

One company among modernity’s forty-niners is
BrainCo, Inc. which has
created a headband
to measure and collect students’ brain waves, or EEGs. Data
collected will then be sent to a teacher dashboard as part of the
company’s FocusEDU program. The company purports the technology
measures students’ level of attention, and claims that the EEG data
collected will help teachers and administrators determine when each
student is paying attention during a lesson and/or activity.

I am starting this post with a deeply appreciative
and respectful Thank You to Robert Ambrogi who has logged 15 years
and counting of blogging at his legendary Law
Sites. Bob’s unflagging support has been a touchstone for me
as I too completed 15 years of blogging here at my site, BeSpacific.
In a welcome follow-up to 2016, BeSpacific
is again included in the American
Bar Association (ABA) Web 100: Best law blogs for 2017.
In addition, BeSpacific received more than 600 votes to place a very
respectable Third in the 2017
Best Legal Tech Blog category via The Expert Institute’s Best
Legal Blog contest – the “annual competition that showcases the
very best that the legal blogging world has to offer.” Thank you
to all who voted. Reminder, please vote again in 2018!

Cinemark
announces $8.99-a-month subscription service to fill more seats —
and take on MoviePass

... The Plano, Texas-based company on Tuesday
said customers who pay a monthly fee of $8.99 will receive a credit
for one movie ticket a month. Subscribers can also buy additional
tickets for $8.99 each and get a 20% discount on food and drinks.

Cinemark's offer, dubbed Movie Club, marks the
latest move by theater chains to draw customers at a time when
cinemas are contending with increased competition from other forms of
entertainment, especially streaming services in the home such as
Netflix. It's also the cinema industry's first direct answer to
MoviePass, a New York start-up that offers unlimited movies in
theaters for $9.95 a month.

Tuesday, December 05, 2017

Over three
billion credentials were reported stolen last year. This means
that cybercriminals possess usernames and passwords for more than
three billion online accounts. And that’s not just social media
accounts; it’s bank accounts, retailer gift card accounts with cash
and credit cards attached, airline loyalty accounts with years of
accumulated frequent flyer points, and other accounts with real
value.

This statistic is alarming, but in fact it
significantly understates the scope of the threat. Because of a form
of attack called credential
stuffing, tens of billions of other accounts are also at risk.
Here’s how that attack works. Because most people have many online
accounts (a recent estimate put it at 191
per person on average) they regularly reuse passwords across
those accounts. Cybercriminals take advantage of this. In a
credential stuffing attack, they take known valid email addresses and
passwords from one website breach—for example, the Yahoo
breach—and they use those same email addresses and passwords to
log in to other websites, such as those of major banks.

… Our network statistics at Shape Security
show that a typical credential stuffing attack has up to a 2%
success rate on major websites. In other words, with a set of 1
million stolen passwords from one website, attackers can easily take
over 20,000 accounts on another website. Now multiply those numbers
by the total number of websites where users have reused their
passwords, as well as the number of data breaches that have been
reported, to get a better sense of the threat. Of course, that still
only includes the data breaches we know about. And new
research from Google indicates that phishing may be an even
larger source of stolen passwords than data breaches, making the
scope of the problem even larger.
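As an added example that is not part of the Shape Security article, the Python below runs a small credential-stuffing detector over a constructed login log. The signal it keys on is the defender-side shape of the attack described above: one source trying many different accounts with a hit rate around the 2% figure cited. The log lines, IP addresses, usernames and thresholds are all made up for the illustration.

```python
"""Credential-stuffing detector over constructed auth log lines (added example)."""
from collections import defaultdict

# Constructed sample log (not real data): "<timestamp> <src_ip> <username> <outcome>".
# 198.51.100.9 is one user who mistypes once; 192.0.2.44 is an office NAT with a few
# users; 203.0.113.7 sprays many different accounts and succeeds on about 2% of them.
NORMAL_LINES = [
    "2017-12-05T09:58:00Z 198.51.100.9 alice@example.com FAIL",
    "2017-12-05T09:58:07Z 198.51.100.9 alice@example.com OK",
    "2017-12-05T10:01:00Z 192.0.2.44 bob@example.com OK",
    "2017-12-05T10:01:30Z 192.0.2.44 carol@example.com OK",
    "2017-12-05T10:02:10Z 192.0.2.44 dave@example.com FAIL",
    "2017-12-05T10:02:20Z 192.0.2.44 dave@example.com OK",
]


def _stuffing_lines(src_ip="203.0.113.7", count=100, hits=(17, 63)):
    """Build `count` attempts from one source, each against a different account;
    only the indices in `hits` succeed (2 of 100, the rate the article quotes)."""
    lines = []
    for i in range(count):
        outcome = "OK" if i in hits else "FAIL"
        lines.append(f"2017-12-05T10:05:{i % 60:02d}Z {src_ip} user{i:03d}@example.com {outcome}")
    return lines


SAMPLE_LOG = NORMAL_LINES + _stuffing_lines()


def parse_line(line):
    """Return (src_ip, username, success) for one log line."""
    _ts, src_ip, username, outcome = line.split()
    return src_ip, username.lower(), outcome == "OK"


def summarize_by_source(lines):
    """Per source IP: attempt count, set of distinct usernames, successful logins."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "successes": 0})
    for line in lines:
        src_ip, username, ok = parse_line(line)
        s = stats[src_ip]
        s["attempts"] += 1
        s["users"].add(username)
        s["successes"] += int(ok)
    return stats


def flag_credential_stuffing(lines, min_attempts=20, min_distinct_users=10, max_success_rate=0.10):
    """Flag sources that try many *different* accounts with a low hit rate.

    A brute force against one account (many attempts, one username) does not match,
    and neither does a busy NAT where most logins succeed. Returns a sorted list of
    (src_ip, attempts, distinct_users, successes).
    """
    flagged = []
    for src_ip, s in summarize_by_source(lines).items():
        rate = s["successes"] / s["attempts"]
        if (s["attempts"] >= min_attempts
                and len(s["users"]) >= min_distinct_users
                and rate <= max_success_rate):
            flagged.append((src_ip, s["attempts"], len(s["users"]), s["successes"]))
    return sorted(flagged)


if __name__ == "__main__":
    for src_ip, attempts, users, hits in flag_credential_stuffing(SAMPLE_LOG):
        print(f"{src_ip}: {attempts} attempts across {users} accounts, {hits} takeovers")
```

The per-source distinct-username count is the starting signal, not the whole answer: stuffing tools rotate through proxies precisely to stay under per-IP thresholds, so production detection also looks at the same pattern across an ASN, at user-agent and timing uniformity, and at the fraction of attempted usernames that exist at all.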

“Great fleas have little fleas upon
their backs to bite 'em,

And little fleas have lesser fleas, and
so ad infinitum.”

Eventually, well before “infinitum,” an AI
will create an AI that wants to rule the world.

Google's AI
made its own AI, and it's better than anything ever created by humans

Google's Brain team of researchers has been
hard at work studying artificial intelligence systems. Back in May
they developed AutoML,
an AI system that could in turn generate
its own subsequent AIs.

For the time being, we’ll use humans. A really
good AI will take a while. After all, the rules keep changing.

In this age of
machine-learning-artificial-intelligence-driven blah blah blah, the
folks at YouTube have decided that to win the battle against violent
and racist content they must rely more on good old-fashioned human
beings.

In a pair of blog
posts today, the company elaborated on its strategy for stemming
the rising tide of unsavory video content that has turned services
such as YouTube, Facebook, and Twitter into bottomless cesspools of
fake news, terrorist propaganda, and Nazi-fueled rage.

Over the summer, YouTube trumpeted investments in
machine learning designed to find content that violates the company’s
terms of service. That effort will certainly continue.

But YouTube CEO Susan Wojcicki wrote that the
machine learning tools will now be complemented by expanded use of
carbon-based lifeforms.

(Related). We’ll get to the terrorist stuff
later? Meanwhile, we’ll make our own rules.

Instagram
will hide people taking selfies with animals amid fears they are
encouraging abuse

You might accidentally be enabling abuse of
animals by taking selfies with them, a new report has warned.

Seemingly innocent animal selfies actually
encourage all kinds of exploitation and distress, according to an
investigation. And Instagram will now try and alert people to those
dangers, while discouraging them from posting such pictures.

US says it
doesn't need secret court's approval to ask for encryption backdoors

The US government does not need the approval of
its secret surveillance court to ask a tech company to build an
encryption backdoor.

The government made
its remarks in July in response to questions posed by Sen. Ron
Wyden (D-OR), but they were only made public this weekend.

The implication is that the government can use its
legal authority to secretly ask a US-based company for technical
assistance, such as building an encryption backdoor into a product,
but can petition the Foreign Intelligence Surveillance Court (FISC)
to compel the company if it refuses.

Oh, the horror, the horror! Perhaps they could
use it to attract Amazon’s second HQ?

Seeking to dispel "myths" about net
neutrality, the Trump administration's telecom chief instead put out
his own incomplete and misleading talking points when he suggested
that internet providers had never influenced content available to
their customers before neutrality rules took effect in 2015.

Iffy claims have come from the other side of the
debate, too, such as the notion that federal regulators had never
stepped in to make those providers change their service plans.
Although no such cases were brought, the Federal Communications
Commission was possibly on track to do so when the new administration
stopped the investigation.

Monday, December 04, 2017

If you can’t prevent a breach, can’t you at
least fake genuine concern? You know, the “At [company name],
we take your privacy and security very seriously” bit?

Mark Flamme reports on a Key Bank
breach where the bank’s response to notification of a problem is at
least as problematic as the breach itself.

After a customer found himself with access to
another customer’s complete history and details, he attempted to
alert the bank.

“They told me, ‘Don’t worry. Just don’t worry.’ That’s
all I can get out of them,” Brito said. “I sat on hold for 45
minutes for, supposedly, a supervisor who said, ‘Don’t worry.
We’re taking care of it.’ I can look at a Connecticut man’s
bank statements for the past 10 years. How is that a ‘don’t
worry’ situation?”

The Sun Journal didn’t have any better luck. A call to a 24-hour
hotline was answered by a representative who passed on a number for
the Key Bank Corporate Headquarters Customer Complaint Resolution
Department. Calls to that number, and to a third number for bank
executive relations, were not answered.

A message left at the Complaint Resolution Department was not
returned.

Now maybe the employee intended to be reassuring
with the “Don’t worry,” response, but that was unsatisfactory
to the now-worried customers. Think about what you could say in that
situation that might reassure a customer.

I should have posted this one a few weeks ago, but
better late than never if you care about tracking breaches in the
education sector. On November 16, Kara Seymour reported:

Two women, one from Yardley, another from New Hope, have been arrested
after police say they illegally accessed the Bucks
County Community College computer network and changed
student grades, Newtown Township Police announced Thursday.

Alesisha Morosco, 30, of New Hope, and Kelly Marryott, 37, of
Yardley, were arrested Thursday. Police said Marryott got
the personal information of the faculty member at her job at a
medical office, and gave it to Morosco, who used it to
access the college’s computer network and change grades, including
her own.

A
memo from the U.S. Department of Homeland Security (DHS) warns that
China-based Da-Jiang Innovations (DJI), one of the world’s largest
drone manufacturers, has been providing information on critical
infrastructure and law enforcement to the Chinese government.

The
Los Angeles office of Immigrations and Customs Enforcement (ICE),
specifically its Special Agent in Charge Intelligence Program (SIP),
issued an intelligence bulletin back in August claiming that DJI is
helping China spy on the United States.

A
copy of the memo, marked “unclassified / law enforcement
sensitive,” was published recently by the Public Intelligence
project. The document, based
on information from open source reporting and a “reliable source”
in the unmanned aerial systems industry, assesses with
moderate confidence that DJI is providing data on U.S.
critical infrastructure and law enforcement to the Chinese
government. The authors of the memo provide several examples of law
enforcement and critical infrastructure organizations using DJI
drones. [No actual
examples of data going to China? Bob]

… The
intelligence bulletin also points to a recent memo of the U.S. Army,
which instructs units to stop using DJI drones due to cybersecurity
vulnerabilities, and a U.S. Navy memo on the operational risks
associated with the use of the Chinese firm’s products. DJI has
taken some measures to
improve privacy following the Army ban. [Poor
security is not espionage. Bob]

This happens with a lot of senior managers.
Secretaries reading and filtering emails. PR(?) handling social
media accounts. In all cases, the simple solution is to make certain
that the politician/executive/celebrity never has access to the
password for that account. This article is definitely worth reading.

Yesterday I had a bunch of people point me at a
tweet from a politician in the UK named Nadine
Dorries. As it turns out, some folks were rather alarmed about
her position on sharing what we would normally consider to be a
secret. In this case, that secret is her password and, well, just
read it:

My
staff log onto my computer on my desk with my login every day.
Including interns on exchange programmes. For the officer on
@BBCNews
just now to claim that the computer on Green's desk was accessed and
therefore it was Green is utterly preposterous!!

This
illustrates a fundamental lack of privacy and security education.
All the subsequent reasons given for why it’s necessary have
technology solutions which provide traceability back to individual,
identifiable users.

President Donald Trump’s behavior on Twitter
routinely drives entire news cycles. This weekend, he showed that a
single word within a single presidential tweet can be explosive.

Trump raised alarm bells in his
published response to the news that his former national security
adviser, Michael Flynn, pleaded guilty to lying to the FBI.

The tweet published to Trump’s account clearly
implied that he already knew that Flynn had deceived the Feds when he
fired him back in February: “I had to fire General Flynn because he
lied to the Vice President and the FBI. He has pled guilty to those
lies. It is a shame because his actions during the transition were
lawful. There was nothing to hide!”

That unleashed a frenzy of speculation about
whether Trump had just admitted to obstructing
justice, since it seems he must have known that Flynn had
committed a felony when he was pressuring then-FBI director James
Comey to ease up on the Flynn case.

But then came word that maybe Trump didn’t write
the tweet after all. The
Washington Post reported that “Trump’s lawyer John Dowd
drafted the president’s tweet, according to two people familiar
with the twitter message.” The
Associated Press also identified Dowd as the one who “crafted”
the tweet, citing “one person familiar with the situation,”
though Dowd himself declined to make a comment to the AP.

The Sheltered
Harbor project is meant to ensure that every U.S. bank has a
protected, unalterable backup that can be used to serve customers in
case of a major hack

U.S. banks have quietly
launched a doomsday project they hope will prevent a run on the
financial system should one of them suffer a debilitating
cyberattack.

The effort, which went live earlier this year and
is dubbed Sheltered Harbor, currently includes banks and credit
unions that have roughly 400 million U.S. accounts. The effort
requires member firms to individually back up data so
it can be used by other firms to serve customers of a disabled bank.

Under the General
Data Protection Regulation (GDPR), companies that process large
amounts of sensitive personal data or consistently monitor data
subjects on a large scale will be required to appoint a data
protection officer (DPO).

As discussed in our previous posts, the DPO will have significant
responsibilities, including reporting on data to the highest
management level. While the DPO debate has so far been focussed on
where to place the DPO within company structures, confusion remains
over the DPO’s actual responsibilities.

Firstly, the GDPR does not provide for any specific liability for the
DPO. However, the Art. 29 Working Party addresses this issue in its
Guidelines
on Data Protection Officers of 13 December 2016.

CVS
to Buy Aetna for $69 Billion in a Deal That May Reshape the Health
Industry

… The transaction, one of the largest of the
year, reflects the increasingly blurred lines between the
traditionally separate spheres of a rapidly changing industry. It
represents an effort to make both companies more appealing to
consumers as health care
that was once delivered in a doctor’s office more often reaches
consumers over the phone, at a retail clinic or via an app.

… A combined CVS-Aetna could position itself
as a formidable figure in this changing landscape. Together, the
companies touch most of the basic health services that people
regularly use, providing an opportunity to benefit
consumers. CVS operates a chain of pharmacies and retail clinics
that could be used by Aetna to provide care directly to patients,
while the merged company could be better able to offer employers
one-stop shopping for health insurance for their workers.

Good to see that someone is thinking about
this – even if they only came up with four.

North Korea’s most recent intercontinental
ballistic missile (ICBM) test has once again captivated the
international community. Much less attention has been paid to how
South Korea is responding to its neighbor’s military advances.
Firstly, South Korea is acquiring
the capabilities to conduct preemptive strikes against North
Korea’s nuclear and missile sites under the guise of its “Kill
Chain” strategy. Relatedly, Seoul is seeking the capabilities and
simulating decapitation strikes against North Korea’s
leadership—that is, South Korea wants the ability to assassinate
Kim Jong-un and his inner circle.

Both capabilities pose enormous challenges that
are not being acknowledged. For both scenarios, Seoul is failing to
ask the simple question of whether the United States would back its
actions. Washington itself does not appear to be contemplating this
essential question, even though it would be directly implicated by
South Korea’s policies.

The Honolulu Police Department is ordering legal
cannabis patients to “voluntarily surrender” any guns they own
because pot is still considered an illegal drug under federal law.

The initiative continues three months after
Hawaii’s first medical marijuana dispensary opened for business.

“Your medical marijuana use disqualifies you
from ownership of firearms and ammunition,” Honolulu police Chief
Susan Ballard wrote in a Nov. 13 letter to one medical marijuana card
holder. “If you currently own or have any firearms, you have 30
days upon receipt of this letter to voluntarily surrender your
firearms, permit and ammunition to the Honolulu Police Department or
otherwise transfer ownership.”

New Study
Finds That Most Redditors Don’t Actually Read the Articles They
Vote On

It’s probably not at all surprising that most
content posted to Reddit is voted on more or less blindly. I’ll
cop to liking articles that friends have shared on Facebook without
reading, let alone evaluating them. I’d say there’s
even sort of an aggregation myth that pervades our view of social
media, that buried within discussions of fake news and social media
corporate responsibility is this assumption that people are actually
reading the articles, or at least that a lot of them are.
The data, however, suggests that they aren’t.

According to a
paper published in IEEE Transactions on Computational Social
Systems by researchers at the University of Notre Dame, some 73 percent
of posts on Reddit are voted on by users who haven’t actually
clicked through to view the content being rated. This is according
to a newly
released dataset consisting of all Reddit activity of 309 site
users over a one-year period.

Earlier this year, Neil
Young announced that he was preparing to launch a massive
online archive, featuring all his music, released and unreleased,
for free in high
quality audio via his new XStream
Music streaming service. Today, on the release date of his new
album The
Visitor, he has launched the site. Indeed, the new Neil
Young Archives include a filing cabinet and timeline listing all
of his albums up through The Visitor, including several
unreleased items like Chrome Dreams, Homegrown, and
Toast (which are not yet available to stream). Also listed
are his film projects and books. Explore for yourself here,
and watch a tutorial video narrated by Young below. “Don’t
forget to have a good time,” he instructs users. “And try not to
get lost.”

Could this help my International students? (Or
help me read their papers?)

Rewordify
is a free site that can help students understand complex passages of
text. At its most basic level Rewordify takes a complex passage and
rephrases it in simpler terms. Students can adjust Rewordify's
settings to match their needs. For example, students can add words
to a "skip list" and those words will not be changed when
they appear in a passage. Students can also use Rewordify to simply
highlight difficult words instead of having them replaced. Watch the
video below for a complete overview of how Rewordify works.

About Me

I live in Centennial, Colorado. (I'm not actually 100 years old, but I hope to be some day.) I'm an independent computer consultant, specializing in solving problems that traditional IT personnel tend to have difficulty with. That includes everything from inventorying hardware and software, to converting systems and data, to training end-users. I particularly enjoy taking on projects that IT has attempted several times before with no success. I also teach at two local universities: everything from Introduction to Microcomputers through Business Continuity and Security Management. My background includes IT audit, computer security, and a variety of unique IT projects.